olegandreych
just joined
Topic Author
Posts: 11
Joined: Thu Dec 06, 2012 5:54 pm

IPSEC and Android Always-on VPN from local network

Wed Apr 18, 2018 10:07 pm

Hello,

I've configured IPsec XAuth PSK on an RB2011UAS-2HnD-IN.

When I establish a VPN connection from the Internet using an Android 8.0 phone, I can access resources both from the Internet and from the local network.
Everything is the same when I'm connecting from within the local network. Everything changes when I enable "Always-on" in the phone's VPN settings. An "Always-on" connection established from the Internet works just fine.
The VPN connection is established normally from the local network, but I cannot access any resources from either the local or the global network. Moreover, I cannot ping the router or any resource from the phone, and I cannot ping the phone from the router either by its local address (from 172.20.88.0/24) or by its VPN address (from 172.20.89.0/24). As far as I can see there is packet traffic according to the SAs' counters and the traffic sniffed on the WLAN.

Can you give me any idea what to look for to resolve the network access issues when the VPN is established from the local network?

Policies:
[admin@MikroTik] /ip ipsec policy> print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active,
* - default
 0 T * group=default src-address=172.20.88.0/24 dst-address=172.20.89.0/24
       protocol=all proposal=default template=yes

 1 T   group=default src-address=0.0.0.0/0 dst-address=172.20.89.0/24 protocol=all
       proposal=default template=yes

 2  DA  src-address=0.0.0.0/0 src-port=any dst-address=172.20.89.243/32 dst-port=any
       protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes
       sa-src-address=46.163.165.251 sa-dst-address=94.25.176.14 proposal=default
       ph2-count=1

Peer:
[admin@MikroTik] /ip ipsec peer> print
Flags: X - disabled, D - dynamic, R - responder

 1   R address=0.0.0.0/0 passive=yes auth-method=pre-shared-key-xauth
       secret="***" generate-policy=port-strict policy-template-group=default
       exchange-mode=main mode-config=cfg1 send-initial-contact=yes
       nat-traversal=yes proposal-check=obey hash-algorithm=sha256
       enc-algorithm=aes-128,3des,des dh-group=modp1024 lifetime=30m
       dpd-interval=2m dpd-maximum-failures=5

Mode Configs:
[admin@MikroTik] /ip ipsec mode-config> print
Flags: * - default
 0 * name="request-only"

 1   name="cfg1" system-dns=yes static-dns="" address-pool=ipsec
     address-prefix-length=24

Proposal:
[admin@MikroTik] /ip ipsec proposal> print
Flags: X - disabled, * - default
 0  * name="default" auth-algorithms=sha1
      enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des,des lifetime=30m
      pfs-group=none

And I have a user with a login and password, and without an address.
My local network IP range is 172.20.88.0/24 and the VPN's range is 172.20.89.0/24.
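Added example, not part of the thread: a small Python helper that parses the "/ip ipsec policy print" listing above and reports which policy a given flow falls under, which is the first thing to check when traffic is encrypted (or not) unexpectedly. It assumes RouterOS first-match semantics over non-template, non-disabled entries and that a policy also governs the mirrored inbound flow; the listing is embedded as constructed input.

```python
import ipaddress
import re

# Constructed input: the '/ip ipsec policy print' listing from the post.
POLICY_PRINT = """\
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active,
* - default
 0 T * group=default src-address=172.20.88.0/24 dst-address=172.20.89.0/24
       protocol=all proposal=default template=yes
 1 T   group=default src-address=0.0.0.0/0 dst-address=172.20.89.0/24 protocol=all
       proposal=default template=yes
 2  DA  src-address=0.0.0.0/0 src-port=any dst-address=172.20.89.243/32 dst-port=any
       protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes
       sa-src-address=46.163.165.251 sa-dst-address=94.25.176.14 proposal=default
       ph2-count=1
"""
# Entry line: index, optional flag letters, then the first key=value field.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+([TXDIA*\s]*?)\s*(\S+=.*)$")

def parse_policies(text):
    """Parse the listing into dicts with 'id', 'flags' (set) and key=value fields."""
    policies = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # new entry
            policies.append({"id": int(m.group(1)),
                             "flags": set(m.group(2).replace(" ", ""))})
            fields = m.group(3)
        elif policies and line.startswith(" ") and "=" in line:  # continuation
            fields = line.strip()
        else:
            continue  # header, legend or blank line
        for key, val in re.findall(r"(\S+?)=(\S*)", fields):
            policies[-1][key] = val
    return policies

def match_policy(policies, src_ip, dst_ip):
    """First-match lookup (assumed RouterOS semantics): (policy, 'out'|'in') or None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for pol in policies:
        if pol["flags"] & {"T", "X"}:
            continue  # templates only seed dynamic policies; disabled never match
        s_net, d_net = (ipaddress.ip_network(pol[k], strict=False)
                        for k in ("src-address", "dst-address"))
        if src in s_net and dst in d_net:
            return pol, "out"  # plaintext that will be encrypted under this policy
        if src in d_net and dst in s_net:
            return pol, "in"   # mirrored selector: decrypted traffic from the peer
    return None
```

With the listing above, a LAN host talking to 172.20.89.243 lands on dynamic policy 2, while LAN-to-LAN traffic matches nothing and stays in the clear.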
